CUI Simplified - What you need to know?

cui cybersecurity small business smb Feb 28, 2022

CUI Simplified

What is CUI?

CUI is government-created or owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations, and government-wide policies

There are seven sub-categories within the CUI hierarchy, including:

  • Personally identifiable information (PII)
  • Sensitive personally identifiable information (SPII)
  • Proprietary business information (PBI)
  • Unclassified controlled technical information (UCTI)
  • Sensitive but unclassified (SBU)
  • For official use only (FOUO)
  • Law enforcement sensitive (LES)


Protecting CUI Exposure

CUI is exposed to four categories of company assets: 

  1. People: Responsible for creating and delivering products or services to customers
  2. Information: Data used to produce products or services, how they are designed, customer data, and order information
  3. Technology: Hardware and software used to create products or services including managed service provider or a cloud service provider
  4. Facilities: Buildings, offices, and warehouses where people use technology and information to create their products or services 


Data can be protected by on-premises data centers that includes all internal IT systems, Cloud Service Provider, or a Hybrid Solution. All options must address the 110 Security controls in NIST SP 800-171 along with a Systems Security Plan and a Program of Actions and Milestones.  


Securing CUI

CMMC addresses CUI security requirements for all DoD industry partners. It guides to ensure adequate security processes and practices are in place to protect CUI within the networks of all DoD contractors.


CMMC 2.0 contains 3 levels of maturity ranging from “basic cybersecurity hygiene” to “advanced progressive”, providing users a hierarchy of security options for CUI.


  1. Level 1, titled, “foundational” will consist of the 17 basic safeguarding controls of FAR 52.204-21. Once CMMC 2.0 is in, those required to be CMMC Level 1 will be allowed to self-assess their cybersecurity posture (annually), with leadership sign-off, and enter their score in to the Supplier Performance Risk System (SPRS).
  2. Level 2, titled “Advanced”, becomes the level for those handling CUI in non-federal systems. The 110 controls and 321 practice objectives of NIST SP 800-171 rev. 2 and NIST 800-171A are to be fully implemented. Level 2 will be divided in to two groups: "Critical to National Security Information", (require a C3PAO audit) and CUI that isn’t deemed as critical. (Can perform Self-Audit).  
  3. Level 3, titled “Expert”, goes above and beyond NIST SP 800-171, to align with NIST SP 800-172, which is a more proactive set of controls that focuses on preventing Advanced Persistent Threats (APTs). Assessments will be government-led (DIBCAC), but no further information on this currently available.

System Security Plan (SSP)

SSP describes how a company meets the security requirements for a system or how it plans to meet the requirements


For NIST 800-171 and CUI requirements, the SSP includes the necessary information about each system in your environment that processes, stores, and transmits CUI


Plan of Action and Milestones (POA&M)

Plan of Actions and Milestones (POA&M) identifies tasks that need to be accomplished. It details resources required to accomplish the elements of the plan, milestones for meeting the tasks, and the scheduled completion dates for the milestones.


Bottom line: Must possess a complete SSP and POA&M to conduct work for the Federal Government. 


Physical Safeguarding of CUI

  • Prevent unauthorized individuals from accessing, observing, or overhearing discussion of CUI. 


  • Minimum, there must be at least one physical barrier protecting the CUI. That can be a locked door, drawer, or file cabinet, provided that only those individuals with a lawful government purpose can access the CUI.


Challenges with CUI

  • Navigating the physical and cyber environment to locate the CUI
  • Not fully aware of where CUI exists in their ecosystem
  • Identification and labeling of CUI. Organizations may have numerous files and related materials that could be CUI. 
  • Who handles CUI?
  • Is the CUI contained and isolated?
  • Is CUI monitored, audited, and protected? 
  • Has the scope of CUI coverage defined?  
  • How difficult will it be to consolidate into an isolated enclave?
  • Are Physical controls in place?
  • Are Network controls in place?
  • Are Session controls in place?
  • Are Infrastructure controls in place? 
  • Are the employees handling the CUI vetted? 


Scoping Out compliance for CUI

Digital Tech Partners will guide you through the challenges by:

  • Finding the right answers
  • Shrinking the CUI coverage area by scope, network & people
  • Conduct NIST 800-171 risk assessment
  • Rank order risks and remediation activities
  • Update policy and procedures
  • Monitor & control project
  • Plan for CMMC 2.0
  • Achieve compliance 

DTP – Competitive Advantage

  • Reduce Cost by Customizing solution for each Business
  • Matching your problem with Right Solutions
  • Shrinking the area to form CUI Enclave by Identifying and protecting with right people, the right process, and the right technology
  • Reduce Cost and Complexity while achieving Compliance